rprf Menu

About

Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

March 28, 2011

The nitty gritty of money transfer operators (MTOs)

When a friend of mine was travelling across Cambodia last year, he had a common, yet frightening, experience of the solo voyager: his wallet was stolen. Luckily, despite the seeming remoteness of his beach vacation, there were several Western Union agents in Sihanouk Ville. His parents were able to send him enough cash to finish out his trip. While losing his identification was still stomach-gnawing, he at least had the money to pay for lodging, food, and transportation. The global reach of money transmitters offers a clear value to travelers and migrants, but may also be valued by those wishing to exploit the companies for more nefarious purposes.

The reach of MTOs across the globe is a remarkable business accomplishment. Western Union or MoneyGram agents can be in from the smallest American town to the remotest corners of the globe. Western Union currently boasts 445,000 locations worldwide, and MoneyGram offers another 227,000. This already expansive agent network is quickly growing, with Western Union adding 150,000 locations since 2007. These MTOs serve the financial needs primarily of migrants—a significant portion of the worldwide population—offering not only money transfers but also ancillary services like prepaid cards, money orders, and walk-in bill payment. Immigrants in any given country are often unbanked or underbanked, yet often need to send cash remittances to family back home. MTOs are able to charge a premium for services that customers see as reliable, fast, and private.

But how exactly are these international money transfers executed? In Western Union's case, agents take cash from remitters and enter confirmation of cash receipt into Western Union's messaging system. The agents also collect data on both the sender and recipient. On the receiving end, the recipient in most cases presents photo identification at his or her local agent to pick up the cash. Western Union net settles with agents at the end of the day via ACH, if that service is available in the country, or by wire otherwise. Western Union has some intraday credit exposure to the transaction, as they commit to reimbursing the receiving agent regardless of the sender's solvency at the end of the day. Therefore, a Western Union transfer consists of three different streams: the flow of information between the sending and receiving agents via their messaging system, the separate communication between sending and receiving customers, and the final flow of funds between Western Union and the agents. MoneyGram's system operates similarly, but typically at a somewhat lower price point.

What are the risks?
The primary concern of regulators and law enforcement vis-à-vis MTOs is the risk of illicit use—bad actors taking advantage of these global networks to launder money and finance terrorism. Unlike banks that establish long-term account relationships with their clients, MTOs offer one-off transactions with more limited customer data. Consequently, MTOs may lack the relationship-level depth of customer data that banks have access to for risk mitigation purposes. Western Union has proactively led anti-money laundering (AML) compliance efforts in response to such fears. In 2010 testimony to Congress, Western Union reported spending more than $35 million annually on AML compliance. Although MTOs are global in scope, regulatory oversight is inherently limited to specific jurisdictions, and therefore the firms must interact with many different regulators and law enforcement agencies. MTOs currently operate under a complex structure of state, federal, and foreign regulation. Western Union has advocated for more consolidated regulation at the federal level, which may be in the cards, as the new Consumer Financial Protection Bureau (CFPB) will have jurisdiction over MTOs. Of greater concern may be unregistered MTOs, which operate outside the rule of law, and against whom FinCEN regularly brings enforcement.

The remittance industry has come under increasing scrutiny from government regulators and others in connection with its ability to prevent its services from being abused by people seeking to defraud others.... [T]he ingenuity of criminal fraudsters, combined with the potential susceptibility to fraud by consumers during economically difficult times, make the prevention of consumer fraud a significant and challenging problem. (p. 27)

The global ubiquity that lies at the heart of MTOs' value proposition is also a key risk factor for illicit use and fraud, as criminals may leverage the systems to divert illicit gains outside the jurisdiction of their crimes. While some companies have recognized this risk and actively worked to mitigate it, others may need regulatory encouragement. How can we most effectively monitor such expansive entities? How can industry and regulators better collaborate to bring unregistered MTOs into compliance with existing laws? These questions will be increasingly important as the CFPB moves to more rationally and comprehensively supervise this dynamic industry.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

May 24, 2010

Bank revenues and fraud detection: A marriage made in heaven?

Recently, a number of instances of account takeovers—or "man in the middle" attacks—have been labeled as ACH or wire transfer fraud because the subsequent fraudulent transactions flowed over the ACH or wire transfer networks. Such schemes frequently involve an interloper using the Internet to hack into a company's payroll system and create fraudulent transactions before the payroll file arrives at the company's originating bank. At first blush, it seems off base to attribute this type of fraud to the payments channel when the channel merely carried already fraudulent payments on to their intended destinations. Once these payments enter the clearing channel, banks and ACH/wire operators do not appear to have any easy way to identify them as fraudulent transactions.

The growing responsibility of banks to help their customers
Clearly, American businesses are in the eye of the storm when it comes to current account takeover attacks, so it's easy, if not appropriate, to attribute the fraud to absent or lax controls over their corporate databases. Needless to say, the smaller the business, the less likely that their knowledge, business model, or budgets include funding for fighting Internet-based fraud attacks. With this idea in mind, a judge recently ruled that such a company's bank was at least partially responsible for a corporate fraud loss because the bank had failed to assist the company by providing reasonable fraud control tools or services.

Such claims stem from a requirement stated in Article 4A of the Uniform Commercial Code (UCC) that makes banks responsible for using "commercially reasonable" security techniques to protect the data assets of the customer and bank. The term commercially reasonable does not have a specific definition but historically has been defined as the use of techniques significantly deployed by other similar industry service providers. Since there is no evidence that many banks provide ACH origination fraud detection services to their corporate customers, the historical test doesn't seem to have held sway in this case. Instead, it appears the judge used a different test for commercial reasonableness by indicating that there are technologies and tools available in the marketplace today, albeit not in wide use in banking, which the bank could have employed to assist the company. As we speak, and in a separate matter, a Texas bank is suing its business customer, claiming that at all times the bank maintained commercially reasonable security measures. The outcome of this action remains to be seen.

The potential for fee-based fraud detection services
Transferring the issue to the ACH payments front, perhaps it would be possible for banks to provide businesses with enhanced account takeover fraud control tools. For example, banks could offer the equivalent of positive pay in the check world for outbound ACH credit entries. That is, the company could update bank resident databases with their eligible payroll (or the bank could retain recent files), and the bank could validate the information on newly deposited payroll files to ensure that a significant amount of new account numbers have not been introduced since the last payroll. Other services could include looking for significant variations in the number or dollar amount of transactions or requiring that companies assert dual controls on all payroll deposits before the payments enter the ACH processing stream at the originating financial institution.

Such services might seem expensive to implement since they would entail the writing or acquisition of new front-end software. However, the provision of such runtime services to client companies could be a revenue opportunity for a fee-starved banking industry whose current fee revenue streams (overdrafts, interchange, credit card interest rates) are under attack on all fronts. Further, such grassroots corporate payments services could better address fraud at the inception point rather than the after-the-fact central monitoring of unauthorized returns by NACHA or the ACH operators. In fact, the ACH operators offer front-end fee-based risk monitoring services to their financial institution customers today, demonstrating the possible value of banks extending the concept to their corporate clients. Finally, one can conceive of the evolution of a suite of such services to include services that could detect potential insider fraud, a growing trend in a recessionary economy.

Comments

Rob, excellent observations with which I agree in part. However, the concept I was pushing here is that banks can leverage the growing awareness of commercial fraud into fee revenue product opportunities to make a part of their business client's offering.

The detection options listed should be added but it will take time to implement them uniformly which would seem mandatory for larger clients that want the same standards across their institutions. Many of the online banking applications already have several measures available that are not used by banks that have them deployed. The security/convenience trade off decisions that banks make vary by an almost unbelievable degree.

It is my understanding that several U.S. regulatory bodies (including the Federal Reserve?) have begun discussing new security requirements for large payment transactions initiated online. Challenging each transaction initiation or every sensitive act (e.g. adding a new payee) would prevent most of the fraud seen during the last couple of years. If the challenge was conducted via another channel or out-of-band (a phone call) it would be even more effective.

Until forced, via judicial ruling or legislative action, it seems unlikely that banks will uniformly protect small business customers via any method.

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.